SAN DIEGO -- System administrators should consider keeping minimum log records and brushing up on privacy laws...
to better protect employees' right to free speech, according to an attorney with the non-profit Electronic Frontier Foundation.
While IT shops can use computer logs to spot malicious activity on machines, they can also be used as part of a "very effective" surveillance tool against individuals and companies, Kevin Bankston, a privacy and free speech lawyer specializing in government surveillance, told attendees at last week's annual Usenix Large Installation System Administration conference.
That means more companies -- and the system administrators that maintain their computing environments -- are being called upon to let intelligence and law enforcement agencies tap electronic communications streaming in and out of their network. Most popular targets are e-mail providers, ISPs, telecoms and online message board operators, all of whom are subject to subpoenas for information and many of whom comply without ever notifying the user, Bankston said. That's because it's usually "much cheaper" to hand over requested information, such as individual IP addresses, than to challenge the request.
Therefore, the more information you keep in your system and workstations, the greater the risk of becoming a target or having to be put in an uncomfortable situation with customers and business partners. That includes users of Google's 2-gigabyte Gmail, Microsoft's Hotmail and other Web-based e-mail providers that boast free, expansive storage capabilities.
"Most people don't realize the longer they leave their e-mail with a provider, the less legal protection they have," the attorney said.
Bankston also urged sysadmins to educate employees about the technologies they're using, including their legal limitations, and to school themselves on laws such as the Electronic Communications Privacy Act of 1986 and the more recent USA PATRIOT Act of 2001. He also noted that although the 1986 law expanded court-ordered pen registers and trap-and-trace devices, the vast majority of requests still target telephone wiretaps.
But that may change, and rapidly, as companies move towards voice over Internet Protocol (voIP) systems to save money and investigations seek to tap specific IP traffic and rummage through network traffic logs. "One of the most important things you can do is help educate end users on how they can be tracked online," Bankston said.
He also advised sysadmins to pare down their log files, which may run counter to a company's culture that frequently encourages saving each and every data file in the event an item, however obscure, is needed for business -- and quickly. Keeping detailed logs is also considered an essential part of regulatory compliance. But such copious data stores also make the company more susceptible to secret intelligence and police sweeps. "It's a pain to store all that data, and it's a pain if someone knows about it," he said. "If you only keep X amount and they know it, they'll leave you alone.
"You really ought to think carefully: 'What do I really need to do my job? What logs do I have to keep?' and take it backward from there."
Bankston recommend enterprises also maintain written policies addressing data collection and retention that encourages keeping the minimum information necessary for an organization to function well.
In the event an enterprise is required to assist law enforcement or intelligence agents, Bankston recommends sysadmins negotiate for the best way to keep all but the targeted employees' or business partners' traffic interference-free. That includes paying special attention to any surveillance tools mandated by court order. It's possible to provide your own homegrown system rather than Uncle Sam's hardware and software, to ensure the technologies don't break other applications and that they don't cast too wide a net while eavesdropping as data streams through a box.
"They can't do it without your help. That gives you leverage," Bankston said. "If you system is configured in a way that it's difficult to tap, you don't have to do custom coding to change your service," he advised. One unnamed company, which operated a remote car service such as emergency assistance, recently sued to block a government surveillance tool that disrupted its service. Bankston said the courts ruled the government must create a way to eavesdrop that wouldn't interfere with the company's ability to serve its customers.
Bankston also reminded the audience that even when issued a "super-secret order," the company still has the right to consult an attorney to determine the best course of action.